From: Pavel Emelyanov <xemul@openvz.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Serge Hallyn <serue@us.ibm.com>
Subject: [PATCH 2/2] devscgroup: make white list more compact in some cases
Date: Thu, 05 Jun 2008 12:45:50 +0400
Message-ID: <4847A7BE.5010603@openvz.org>

Consider you added a 'c foo:bar r' permission to some cgroup and then
(a bit later) 'c foo:bar w' for it. After this you'll see a

  c foo:bar r
  c foo:bar w

lines in a devices.list file.

Another example - consider you added 10 'c foo:bar r' permissions to
some cgroup (e.g. by mistake). After this you'll see 10

  c foo:bar r

lines in a list file.

This is weird. This situation also has one more annoying consequence.
Having many items in a white list makes permissions checking slower,
since it has to walk a longer list.

The proposal is to merge permissions for items that correspond to the
same device.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
---
security/device_cgroup.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index f9941a7..baf3488 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -106,7 +106,7 @@ free_and_exit:
static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
struct dev_whitelist_item *wh)
{
- struct dev_whitelist_item *whcopy;
+ struct dev_whitelist_item *whcopy, *walk;
whcopy = kmalloc(sizeof(*whcopy), GFP_KERNEL);
if (!whcopy)
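Review bot: The kmalloc() of whcopy at the top of dev_whitelist_add() still runs unconditionally, so after this change every add that merges into an existing entry allocates a copy only to free it again. Doing the allocation up front is reasonable because GFP_KERNEL may sleep and cannot be used once dev_cgroup->lock is held, but that reasoning deserves a one-line comment next to the allocation so nobody later moves it under the spinlock to "optimise" the merge path.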
@@ -114,7 +114,21 @@ static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
memcpy(whcopy, wh, sizeof(*whcopy));
spin_lock(&dev_cgroup->lock);
- list_add_tail(&whcopy->list, &dev_cgroup->whitelist);
+ list_for_each_entry(walk, &dev_cgroup->whitelist, list) {
+ if (walk->type != wh->type)
+ continue;
+ if (walk->major != wh->major)
+ continue;
+ if (walk->minor != wh->minor)
+ continue;
+
+ walk->access |= wh->access;
+ kfree(whcopy);
+ whcopy = NULL;
+ }
+
+ if (whcopy != NULL)
+ list_add_tail(&whcopy->list, &dev_cgroup->whitelist);
spin_unlock(&dev_cgroup->lock);
return 0;
}
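Review bot: The merge branch in the list_for_each_entry() loop has no break after "whcopy = NULL;", so the walk continues over the rest of the whitelist with the spinlock held even though the matching entry has already been updated. It is only safe on a second match because kfree(NULL) is a no-op, and since this function now keeps at most one entry per type/major/minor, a "break;" after the merge would make the intent explicit and shorten the time spent under dev_cgroup->lock. The kfree(whcopy) could also be deferred until after spin_unlock(), for example by breaking out of the loop with a flag set, so that nothing is freed inside the critical section.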
--
1.5.3.4